Firefox 3.0.5 not deleting session/transient cookie on browser close

Hi all, I've found something I think is a bit interesting, wondering if anyone has any insight on the following.

I have a log in/private section where a cookie is set upon successful login credentials. I also have a "remember me" option so the user won't have to log back in if they revisit before the cookie expires.

I'm setting my session cookie to expire on browser close (which seems to work fine for browsers other than Firefox) as follows:

Code:

setcookie('access'); //transient cookie, expires when browser closes

My cookie for my "remember me" option is as follows:

Code:

if (isset($_POST['remember'])) {
    setcookie('access', md5(uniqid(rand())), time()+60); // expires in 60 seconds, for testing
}

The login page checks for the cookie; if it isn't set, it redirects the user.

With the "remember me" option checked on login, you can refresh the protected page for 1 minute (then the cookie expires). After that, you're redirected. This works fine.

Without the "remember me" option, if I quit/relaunch Firefox, the cookie persists. If I view the cookie information, it says:

Expires: At End Of Session

To get it to work in Firefox, I have to close that browser tab, then quit/relaunch Firefox, then try to access my protected page directly via url (in which case I'm redirected).

If I quit Firefox with the protected page tab open, then relaunch, Firefox appears to not delete session cookies. Have other people experienced this and is this expected behavior in Firefox?

I don't have Firefox 3, but AFAIK if the browser is closed with any tabs open, when the browser is started again those sessions are "restored". Therefore, until the tab is closed there is no "End of Session". Although there may be an option at start-up for either "restore" or "new".

I have had sessions restart when restoring a prior Firefox session. Firefox only gives the option to save the currently open tabs (and their associated session cookies) if you have more than one tab open at the time of closing the browser, so as long as you close all but one of the tabs before closing the browser, or answer no to saving the session when closing the browser with more than one tab open, then the session will be closed. If you answer yes to saving the session then Firefox will obey you and save it. If there is one saved, then when you next open Firefox it will ask if you want to restore what was saved or delete it and start from your default setup.

If I quit Firefox with the protected page tab open, then relaunch, Firefox appears to not delete session cookies. Have other people experienced this and is this expected behavior in Firefox?

Yes, I've just discovered it while developing a Rails app, and I found it highly surprising. It seems to be commonly understood that cookies without an expiry date are stored only in RAM, and therefore are lost when the browser quits. For example, Wikipedia page HTTP_cookie#Cookie_attributes says:

"If no expiration date is provided, the cookie is deleted at the end of the user session, that is, when the user quits the browser. As a result, specifying an expiration date is a means for making cookies survive across browser sessions. For this reason, cookies that have an expiration date are called persistent."

The nearest I could find to an authoritative reference was RFC 2109, which says that if the incoming request does not have a Max-Age attribute, then "The default behavior is to discard the cookie when the user agent exits".

It seems that Firefox has changed this default such that these cookies are in fact persisted to disk.

I can't see a way to get the normal behaviour in Firefox. I could select "keep until: I close Firefox", but I imagine that will purge all cookies, not just ones which expire at the end of the session.
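
Added example, not part of any post in this thread: because a restored Firefox session can bring the transient `access` cookie back, the server can enforce session expiry itself and validate the cookie's value instead of only checking that it is set. `SessionStore`, its time limits and the in-memory array (standing in for a database table) are assumptions for illustration; the code needs PHP 8.

```php
<?php
// Hypothetical SessionStore: the server, not the browser, decides when the
// 'access' token stops being valid. The array stands in for a DB table.
final class SessionStore
{
    /** sha256(token) => ['created' => int, 'seen' => int, 'remember' => bool] */
    private array $rows = [];

    public function __construct(
        private int $idleLimit = 900,         // assumed: 15 min idle limit without "remember me"
        private int $rememberLimit = 1209600  // assumed: 14 day lifetime with "remember me"
    ) {}

    public function issue(bool $remember, int $now): string
    {
        $token = bin2hex(random_bytes(32));   // CSPRNG token instead of md5(uniqid(rand()))
        $this->rows[hash('sha256', $token)] =
            ['created' => $now, 'seen' => $now, 'remember' => $remember];
        return $token; // send with setcookie('access', $token, ['httponly' => true, 'secure' => true])
    }

    public function check(string $token, int $now): bool
    {
        $key = hash('sha256', $token);
        $row = $this->rows[$key] ?? null;
        if ($row === null) {
            return false;                     // a cookie that is merely set proves nothing
        }
        $expired = $row['remember']
            ? ($now - $row['created'] > $this->rememberLimit)
            : ($now - $row['seen'] > $this->idleLimit);
        if ($expired) {
            unset($this->rows[$key]);         // revoke server-side, whatever the browser kept
            return false;
        }
        $this->rows[$key]['seen'] = $now;     // sliding idle window
        return true;
    }
}

// Constructed timeline: login without "remember me", then a session restore.
$store = new SessionStore();
$t0    = 1700000000;
$token = $store->issue(false, $t0);
var_dump($store->check($token, $t0 + 60));          // one minute after login
var_dump($store->check($token, $t0 + 60 + 3600));   // tab restored an hour later
var_dump($store->check('forged-value', $t0));       // value the server never issued
```

With this check in place, a session cookie that survives a browser restart is only honoured while the server-side record is still within its limit.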